Tech tips and tricks from the world of network traffic and security monitoring

There was a question on the Snort mailing list recently asking for ways to retrieve PCAPs of the flows that generate alerts.

Retrieve a PCAP containing all the packets that caused an alert

The PCAP must contain whole flows, not just the packet with the alert

This is a quick post to show you how you can do it in Trisul. I am not aware of any tool, free or commercial, that offers a comparable feature.

Flow taggers

You must configure Flow Taggers to mark flows with alert information. For instructions see Flow Tagging. By default, Trisul marks all flows that generate an alert with the tag IDS. You can create additional taggers, for example to mark flows with alert priorities or signature IDs (sids).

Pulling up flows then packets

First retrieve all flows that generated an alert, say those matching Signature ID sid-1000000122.
Go to Tools > Explore Flows, then search by typing tag=sid-1000000122; you will get a list of flows.

Fig: Searching by the flow tag IDS gives you all flows that generated an alert

Fig: Get a PCAP for all result flows in bulk or one flow at a time

Simply click Download PCAP to get all the packets of the result flows in a single PCAP, correctly merged by timestamp.
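The same three-step pipeline (tag alerting flows, search by tag, download every packet of the matching flows merged by timestamp), as an added example written for this post and not Trisul's own code. The packet store, the minimal frame builder and the alert tuples are constructed sample data, and the only library used is the Python standard library.

```python
import struct
def flow_key(proto, src, sport, dst, dport):
    # Direction-independent key: the alert may fire on a server->client packet, but the whole flow is wanted.
    a, b = (src, sport), (dst, dport)
    return (proto,) + (a + b if a <= b else b + a)

def frame_key(frame):
    """Flow key of an Ethernet/IPv4 TCP or UDP frame, or None for anything else."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] not in (6, 17):
        return None
    src, dst = (".".join(map(str, frame[i:i + 4])) for i in (26, 30))
    sport, dport = struct.unpack_from("!HH", frame, 14 + (frame[14] & 0x0F) * 4)
    return flow_key(frame[23], src, sport, dst, dport)

def tag_flows(alerts):
    """Flow tagger: each alerting flow gets the default 'IDS' tag plus a per-signature 'sid-<N>' tag."""
    tags = {}
    for proto, src, sport, dst, dport, sid in alerts:
        tags.setdefault(flow_key(proto, src, sport, dst, dport), set()).update({"IDS", f"sid-{sid}"})
    return tags

def write_pcap(records):
    """Serialise (timestamp, frame) pairs as a little-endian libpcap file held in memory."""
    out = bytearray(struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1))
    for ts, f in records:
        out += struct.pack("<IIII", int(ts), int(ts % 1 * 1e6), len(f), len(f)) + f
    return bytes(out)

def pcap_for_tag(records, tags, tag):
    """Flows carrying `tag` -> every stored packet of those flows (both directions) as one pcap sorted by time."""
    wanted = {k for k, t in tags.items() if tag in t}
    pkts = sorted((r for r in records if frame_key(r[1]) in wanted), key=lambda r: r[0])
    return write_pcap(pkts), len(pkts)
def frame(src, sport, dst, dport, proto=6):
    """Constructed minimal Ethernet + IPv4 + port header, just enough for frame_key()."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, proto, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return b"\x00" * 12 + b"\x08\x00" + ip + struct.pack("!HH", sport, dport) + b"\x00" * 4

# Constructed packet store, deliberately out of timestamp order: one HTTP flow in both directions, one that never alerts, one mDNS flow.
SAMPLE_RECORDS = [
    (2.0, frame("192.168.1.10", 80, "10.0.0.5", 40000)),     # server reply: the alert fires on this packet
    (1.0, frame("10.0.0.5", 40000, "192.168.1.10", 80)),     # client SYN, before the alert
    (1.5, frame("10.0.0.6", 40001, "192.168.1.10", 80)),     # unrelated flow, must be excluded
    (3.0, frame("10.0.0.5", 40000, "192.168.1.10", 80)),     # client ACK, after the alert
    (2.5, frame("10.0.0.5", 5353, "224.0.0.251", 5353, 17)), # flow hit by a different signature
]
# Constructed alerts as (proto, src, sport, dst, dport, sid); sid 1000000122 is the one searched for above.
SAMPLE_ALERTS = [(6, "192.168.1.10", 80, "10.0.0.5", 40000, 1000000122),
                 (17, "10.0.0.5", 5353, "224.0.0.251", 5353, 2000001)]
```

Searching for sid-1000000122 returns all three packets of the HTTP flow, including the two that precede and follow the alerting packet, while the generic IDS tag also pulls in the mDNS flow.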